Managing Your ServiceNow Incidents

Role Availability Read-Only Investigator Analyst Manager

After the BlueApp for ServiceNow is configured and users execute the supported actions directly or through an orchestration rule, you can easily view a list of the ServiceNow incidents created by USM Anywhere and look at the events, alarms, and vulnerabilities related to the executed actions. (In USM Anywhere, you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured BlueApp.)

Viewing ServiceNow Incidents Created by USM Anywhere

In USM Anywhere, you can view a list of incidents created by an action applied directly to an alarm, event, or vulnerability, as well as any incidents created by actions that were triggered by an orchestration rule. Alarms provide notification of an event or sequence of events that require attention or investigation. An event is any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall. A vulnerability is a known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security. From the list, you can open the incident in your ServiceNow account to view additional information about the incident or make updates to the incident, such as assigning the item to a team member or changing the priority.

To access the ServiceNow incidents

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the tab for the incident type that you want to display.

    The available incident types depend on the ServiceNow products that are active for the ServiceNow user account configured for the BlueApp.

    Select Service Desk Incidents to view incidents created in the IT Service Management product.

    If your account has the ServiceNow Security Incident Response (SIR) product enabled, click the Security Incidents tab to view the security incidents created in that product.


    The displayed list includes all ServiceNow incidents generated by USM Anywhere, with the most recently opened items at the top. Here you can view the current status and assignment for the incident as reported by your ServiceNow instance.

  5. Click View to open the incident in the ServiceNow user interface (UI).

    In ServiceNow, you can assign the issue, change its status, access the source of the incident in USM Anywhere from the link included in the ServiceNow incident, or perform any of the functions supported for your account.


Filtering the Labeled Alarms and Vulnerabilities

USM Anywhere uses labels as a mechanism to classify alarms and vulnerabilities. Filtering by label lets you locate these items quickly and track their status. When the BlueApp for ServiceNow executes a response action for an alarm or vulnerability, it automatically applies the ServiceNow label to it. You can use this label as a filter so that a page displays data for only those items related to a BlueApp for ServiceNow response action.

To view ServiceNow action alarms or vulnerabilities

  1. Open the Alarms page or Vulnerabilities page.
  2. If the Search & Filters panel is not displayed, click the icon to expand it.

    USM Anywhere includes several filters displayed by default.

  3. Locate the Labels filter and select ServiceNow.


    If the Labels filter is not displayed, click Configure Filters at the bottom of the Search & Filters pane to configure filters for the page. See Managing Filters for more information about configuring filters for the page display.

    In the displayed list, you can scroll the list to the right and view the Labels column.
